Safeguard Authentication Services 6.1

Safeguard Authentication Services provides a feature called "mapped user" where you can map local UNIX user accounts to Active Directory user accounts. Local users retain all of their local UNIX attributes such as UID Number and Login Shell, but they authenticate using their Active Directory password. Active Directory password policies are enforced. You can map users by editing configuration files on the UNIX host.

Advantages of mapped users:

Provides a rapid deployment path to take advantage of Active Directory authentication
Kerberos authentication provides stronger security
Enables centralized access control
Enforces Active Directory Password policies
Provides a path for consolidating identities in Active Directory with Ownership Alignment Too (OAT)
Low impact to existing applications and systems on the UNIX host
Easy to deploy with self-enrollment

By mapping a local user to an Active Directory account, the user can log in with their UNIX user name and Active Directory password.

NOTE: Active Directory password policies are not enforced on HP-UX systems that do not have PAM requisite support. To prevent users from authenticating with their old system account password after mapping, install the freely available PAM Requisite package provided by HP.

Using map files to map users

Instead of modifying password entries directly, you can map local UNIX users to Active Directory accounts using map files.

To configure a user mapping file

Run the following command as root to enable local map files:
```
vastool configure vas vas_auth user-map-files /etc/user-map
```
NOTE: This example configures Safeguard Authentication Services to use /etc/user-map for user mappings. You can specify any filename.
Add user mappings to the map file.

The format is <local user name>:<sAMAccountName@domain>.

If you want to map a local user named pspencer to the Active Directory account for pspencer@example.com, add the following line to the file:
```
pspencer:pspencer@example.com
```

Mapping the root account

You can only map the root account to an Active Directory account using the mapped-root-user setting in vas.conf.

To map the root user to an Active Directory account

Run the following command as root:

vastool configure vas vas_auth mapped-root-user Administrator@example.com

NOTE: If you specify mapped-root-user on AIX you must set VASMU on the system line of the root section in /etc/security/user. For more information, see your AIX system documentation.

Enable self-enrollment

Self-enrollment allows users to map their UNIX account to an Active Directory account as they log in to UNIX. This mapping occurs as part of the standard PAM login. Users are first prompted for their UNIX password. Once authenticated to UNIX, they are prompted to authenticate to Active Directory. This process happens on the first log in after you enable self-enrollment. Once the self-enrollment is complete, the user logs in with his UNIX user name and Active Directory password.

To enable self-enrollment

Run the following command as root:
```
vastool configure vas vas_auth enable-self-enrollment true
```
NOTE: All users mapped by the self-enrollment process are stored in the /etc/opt/quest/vas/automatic_mappings file.
Force Safeguard Authentication Services to reload configuration settings by restarting the Safeguard Authentication Services services.

Safeguard Authentication Services 6.1 - Administration Guide

Mapping local users to Active Directory users

Advantages of mapped users:

Using map files to map users

Mapping the root account

Enable self-enrollment

Bitte w&auml;hlen Sie Ihr Produkt aus:

Damit wir Ihnen besser helfen können, geben Sie den Grund Ihres Chats an:

Empfohlene Lösungen für Ihr Problem

Safeguard Authentication Services 6.1 - Administration Guide

Mapping local users to Active Directory users

Advantages of mapped users:

Using map files to map users

Mapping the root account

Enable self-enrollment

Bitte wählen Sie Ihr Produkt aus: